Exemple #1
0
        //Get bower packages from reading bower.json
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            var packages = new List <Package>();

            AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            JObject       json        = (JObject)JToken.Parse(config_file.ReadAsText());

            if (json.Properties().Any(j => j.Name == "name") && json.Properties().Any(j => j.Name == "version"))
            {
                packages.AddRange(GetDeveloperPackages(
                                      json.Properties().First(j => j.Name == "name").Value.ToString(),
                                      json.Properties().First(j => j.Name == "version").Value.ToString()));
            }
            JObject dependencies     = (JObject)json["dependencies"];
            JObject dev_dependencies = (JObject)json["devDependencies"];

            if (dev_dependencies != null)
            {
                packages.AddRange(dev_dependencies.Properties().SelectMany(d => GetDeveloperPackages(d.Name, d.Value.ToString())));
            }

            if (dependencies != null)
            {
                packages.AddRange(dependencies.Properties().SelectMany(d => GetDeveloperPackages(d.Name, d.Value.ToString())));
            }

            return(packages);
        }
        //Get  packages from reading composer.json
        public override IEnumerable <OSSIndexQueryObject> GetPackages(params string[] o)
        {
            AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            JObject       json        = (JObject)JToken.Parse(config_file.ReadAsText());
            JObject       require     = (JObject)json["require"];
            JObject       require_dev = (JObject)json["require-dev"];

            if (require != null)
            {
                if (require_dev != null)
                {
                    return(require.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First()))
                           .Concat(require_dev.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First()))));
                }
                else
                {
                    return(require.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First())));
                }
            }
            else if (require_dev != null)
            {
                return(require_dev.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First())));
            }
            else
            {
                this.AuditEnvironment.Warning("{0} file does not contain a require or require_dev element.", config_file.FullName);
                return(new List <OSSIndexQueryObject>());
            }
        }
Exemple #3
0
        public override IEnumerable <Package> GetPackages(params string[] o) ////Get NuGet packages from reading packages.config
        {
            AuditFileInfo configfile         = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            string        _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
            string        xml = configfile.ReadAsText();

            if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
            {
                var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                xml = xml.Remove(0, lastIndexOfUtf8);
            }
            XElement root = XElement.Parse(xml);

            IEnumerable <Package> packages;

            if (root.Name.LocalName == "Project")
            {
                // dotnet core csproj file
                packages =
                    root
                    .Descendants()
                    .Where(x => x.Name.LocalName == "PackageReference")
                    .SelectMany(r => GetDeveloperPackages(r.Attribute("Include").Value, r.Attribute("Version").Value)).ToList();
            }
            else
            {
                packages =
                    root
                    .Elements("package")
                    .SelectMany(el => GetDeveloperPackages(el.Attribute("id").Value, el.Attribute("version").Value));
            }
            return(packages);
        }
Exemple #4
0
        protected override string GetVersion()
        {
            string    core_version = "8.x";
            Stopwatch sw           = new Stopwatch();

            sw.Start();
            AuditFileInfo changelog = this.ApplicationFileSystemMap["ChangeLog"] as AuditFileInfo;

            string[] c = changelog.ReadAsText()?.Split(this.AuditEnvironment.LineTerminator.ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
            if (c != null && c.Count() > 0)
            {
                foreach (string l in c)
                {
                    if (l.StartsWith("Drupal "))
                    {
                        core_version = l.Split(',')[0].Substring(7);
                        break;
                    }
                }
            }
            this.Version = core_version;
            sw.Stop();
            this.VersionInitialised = true;
            this.AuditEnvironment.Success("Got Drupal 8 version {0} in {1} ms.", this.Version, sw.ElapsedMilliseconds);
            Package core = this.ModulePackages["core"].Where(p => p.Name == "drupal_core").First();

            core.Version = this.Version;
            return(this.Version);
        }
 public override IEnumerable <Package> GetPackages(params string[] o) ////Get NuGet packages from reading packages.config
 {
     try
     {
         AuditFileInfo config_file        = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
         string        _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
         string        xml = config_file.ReadAsText();
         if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
         {
             var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
             xml = xml.Remove(0, lastIndexOfUtf8);
         }
         XElement root = XElement.Parse(xml);
         IEnumerable <Package> packages =
             from el in root.Elements("package")
             select new Package("nuget", el.Attribute("id").Value, el.Attribute("version").Value, "");
         return(packages);
     }
     catch (XmlException e)
     {
         throw new Exception("XML exception thrown parsing file: " + this.PackageManagerConfigurationFile, e);
     }
     catch (Exception e)
     {
         throw new Exception("Unknown exception thrown attempting to get packages from file: "
                             + this.PackageManagerConfigurationFile, e);
     }
 }
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            List <Package> packages              = new List <Package>();
            AuditFileInfo  config_file           = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            JObject        json                  = (JObject)JToken.Parse(config_file.ReadAsText());
            JObject        dependencies          = (JObject)json["dependencies"];
            JObject        dev_dependencies      = (JObject)json["devDependencies"];
            JObject        peer_dependencies     = (JObject)json["peerDependencies"];
            JObject        optional_dependencies = (JObject)json["optionalDependencies"];
            JObject        bundled_dependencies  = (JObject)json["bundledDependencies"];

            if (dependencies != null)
            {
                packages.AddRange(dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
            }
            if (dev_dependencies != null)
            {
                packages.AddRange(dev_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
            }
            if (peer_dependencies != null)
            {
                packages.AddRange(peer_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
            }
            if (optional_dependencies != null)
            {
                packages.AddRange(optional_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
            }
            if (bundled_dependencies != null)
            {
                packages.AddRange(bundled_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
            }
            return(packages);
        }
Exemple #7
0
        protected int GetDefaultConfigurationRules()
        {
            this.AuditEnvironment.Info("Loading default configuration rules for {0} application.", this.ApplicationLabel);
            Stopwatch sw = new Stopwatch();

            sw.Start();
            AuditFileInfo rules_file = this.HostEnvironment.ConstructFile(Path.Combine(this.DevAuditDirectory, "Rules", this.ApplicationId + "." + "yml"));

            if (!rules_file.Exists)
            {
                throw new Exception(string.Format("The default rules file {0} does not exist.", rules_file.FullName));
            }
            Deserializer yaml_deserializer = new Deserializer(namingConvention: new CamelCaseNamingConvention(), ignoreUnmatched: true);
            Dictionary <string, List <ConfigurationRule> > rules;

            rules = yaml_deserializer.Deserialize <Dictionary <string, List <ConfigurationRule> > >(new StringReader(rules_file.ReadAsText()));
            if (rules == null)
            {
                sw.Stop();
                throw new Exception(string.Format("Parsing the default rules file {0} returned null.", rules_file.FullName));
            }
            if (rules.ContainsKey(this.ApplicationId + "_default"))
            {
                rules.Remove(this.ApplicationId + "_default");
            }
            foreach (KeyValuePair <string, List <ConfigurationRule> > kv in rules)
            {
                this.AddConfigurationRules(kv.Key, kv.Value);
            }
            sw.Stop();
            this.AuditEnvironment.Info("Got {0} default configuration rule(s) for {1} module(s) from {2}.yml in {3} ms.", rules.Sum(kv => kv.Value.Count()), rules.Keys.Count, this.ApplicationId, sw.ElapsedMilliseconds);
            return(rules.Count);
        }
        public Drupal8ModuleCodeProject(Dictionary <string, object> project_options, EventHandler <EnvironmentEventArgs> message_handler) : base(project_options, message_handler, "Drupal8Module")
        {
            AuditFileInfo wf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", this.ProjectName + ".info" + ".yml"));

            if (!wf.Exists)
            {
                throw new ArgumentException(string.Format("The Drupal 8 module file {0} does not exist.", wf.FullName), "project_options");
            }
            else
            {
                this.WorkspaceFilePath = this.ProjectName + ".info" + ".yml";
            }
        }
        public List <VulnerableCredentialStorage> GetVulnerableCredentialStorage()
        {
            AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            JSONConfig    json_config = new JSONConfig(config_file);

            if (!json_config.ParseSucceded)
            {
                this.AuditEnvironment.Error("Could not parse JSON from {0}.", json_config.FullFilePath);
                if (json_config.LastParseException != null)
                {
                    this.AuditEnvironment.Error(json_config.LastParseException);
                }
                if (json_config.LastIOException != null)
                {
                    this.AuditEnvironment.Error(json_config.LastIOException);
                }
                return(null);
            }
            this.AuditEnvironment.Status("Scanning for git credential storage candidates in {0}", config_file.FullName);
            IEnumerable <XElement> candidate_elements =
                from e in json_config.XmlConfiguration.Root.Descendants()
                //where e.Value.Trim().StartsWith("git+https") || e.Value.Trim().StartsWith("git") || e.Value.Trim().StartsWith("https")
                where e.Elements().Count() == 0 && Utility.CalculateEntropy(e.Value) > 4.5
                select e;

            if (candidate_elements != null && candidate_elements.Count() > 0)
            {
                this.CredentialStorageCandidates = new List <VulnerableCredentialStorage>();
                foreach (XElement e in candidate_elements)
                {
                    this.CredentialStorageCandidates.Add(new VulnerableCredentialStorage
                    {
                        File     = config_file.FullName,
                        Contents = json_config,
                        Location = e.AncestorsAndSelf().Reverse().Select(a => a.Name.LocalName).Aggregate((a1, a2) => a1 + "/" + a2)
                                   .Replace("Container/", string.Empty),
                        Entropy = Utility.CalculateEntropy(e.Value),
                        Value   = e.Value
                    });
                }
                this.AuditEnvironment.Success("Found {0} credential storage candidates.", this.CredentialStorageCandidates.Count);
                return(this.CredentialStorageCandidates);
            }
            else
            {
                this.AuditEnvironment.Info("No credential storage candidates found.");
                return(null);
            }

            #endregion
        }
Exemple #10
0
        protected override void DetectConfigurationFile(Dictionary <PlatformID, string[]> default_configuration_file_path)
        {
            bool set_config_from_process_cmdline = false;
            bool set_config_from_env             = false;

            if (this.AuditEnvironment.IsUnix)
            {
                List <ProcessInfo> processes = this.AuditEnvironment.GetAllRunningProcesses();
                if (processes != null && processes.Any(p => p.CommandLine.Contains("postgres") && p.CommandLine.Contains("config_file")))
                {
                    ProcessInfo process = processes.Where(p => p.CommandLine.Contains("postgres") && p.CommandLine.Contains("config_file")).First();
                    Match       m       = Regex.Match(process.CommandLine, @"config_file=(\S+)");
                    if (m.Success)
                    {
                        string        f  = m.Groups[1].Value;
                        AuditFileInfo cf = this.AuditEnvironment.ConstructFile(f);
                        if (cf.Exists)
                        {
                            this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
                            this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
                            set_config_from_process_cmdline = true;
                        }
                        else
                        {
                            this.AuditEnvironment.Warning("The configuration file specified on the mysqld command line {0} does not exist.", cf.FullName);
                        }
                    }
                }
                if (!set_config_from_process_cmdline)
                {
                    Dictionary <string, string> env = this.AuditEnvironment.GetEnvironmentVars();
                    if (env != null)
                    {
                        if (env.ContainsKey("PGDATA"))
                        {
                            AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath(env["PGDATA"], "postgresql.conf"));
                            if (cf.Exists)
                            {
                                this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
                                this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
                                set_config_from_env = true;
                            }
                        }
                        if (!(set_config_from_process_cmdline || set_config_from_env))
                        {
                            base.DetectConfigurationFile(default_configuration_file_path);
                        }
                    }
                }
            }
        }
Exemple #11
0
        public CodeProject(Dictionary <string, object> project_options, EventHandler <EnvironmentEventArgs> message_handler, Dictionary <string, string[]> default_file_location_paths, string analyzer_type) : base(project_options, message_handler)
        {
            CallerInformation here = this.AuditEnvironment.Here();

            this.CodeProjectOptions       = project_options;
            this.DefaultFileLocationPaths = default_file_location_paths;
            if (this.CodeProjectOptions.ContainsKey("RootDirectory"))
            {
                if (!this.AuditEnvironment.DirectoryExists((string)this.CodeProjectOptions["RootDirectory"]))
                {
                    throw new ArgumentException(string.Format("The root directory {0} was not found.", CodeProjectOptions["RootDirectory"]), "package_source_options");
                }
                else
                {
                    this.CodeProjectFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory((string)CodeProjectOptions["RootDirectory"]));
                }
            }
            else
            {
                throw new ArgumentException(string.Format("The root application directory was not specified."), "application_options");
            }

            if (this.CodeProjectOptions.ContainsKey("ProjectName"))
            {
                this.ProjectName = (string)CodeProjectOptions["ProjectName"];
            }

            if (this.CodeProjectOptions.ContainsKey("File"))
            {
                string fn = (string)this.CodeProjectOptions["File"];
                if (!fn.StartsWith("@"))
                {
                    throw new ArgumentException("The workspace file parameter must be relative to the root directory for this audit target.", "project_options");
                }
                AuditFileInfo wf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", fn.Substring(1)));
                if (wf.Exists)
                {
                    this.WorkspaceFilePath = wf.FullName;
                }
                else
                {
                    throw new ArgumentException(string.Format("The workspace file {0} was not found.", wf.FullName), "project_options");
                }
            }
            this.AnalyzerType = analyzer_type;
            if (this.CodeProjectOptions.ContainsKey("ListCodeProjectAnalyzers"))
            {
                this.ListCodeProjectAnalyzers = true;
            }
        }
Exemple #12
0
        public AuditProfile(AuditEnvironment env, AuditFileInfo pf)
        {
            this.AuditEnvironment = env;
            this.ProfileFile      = pf;
            this.AuditEnvironment.Info("Using profile file {0}.", pf.FullName);
            Deserializer yaml_deserializer = new Deserializer(namingConvention: new CamelCaseNamingConvention(), ignoreUnmatched: true);

            try
            {
                this.Rules = yaml_deserializer.Deserialize <List <AuditProfileRule> >(new StringReader(this.ProfileFile.ReadAsText()));
                AuditEnvironment.Info("Loaded {0} rule(s) from audit profile.", this.Rules.Count);
            }
            catch (Exception e)
            {
                this.AuditEnvironment.Error(e, "Error occurred reading audit profile from {0}.", this.ProfileFile.FullName);
            }
        }
Exemple #13
0
        //Get bower packages from reading bower.json
        public override IEnumerable <OSSIndexQueryObject> GetPackages(params string[] o)
        {
            AuditFileInfo config_file      = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            JObject       json             = (JObject)JToken.Parse(config_file.ReadAsText());
            JObject       dependencies     = (JObject)json["dependencies"];
            JObject       dev_dependencies = (JObject)json["devDependencies"];

            if (dev_dependencies != null)
            {
                return(dependencies.Properties().Select(d => new OSSIndexQueryObject("bower", d.Name, d.Value.ToString(), ""))
                       .Concat(dev_dependencies.Properties().Select(d => new OSSIndexQueryObject("bower", d.Name, d.Value.ToString(), ""))));
            }
            else
            {
                return(dependencies.Properties().Select(d => new OSSIndexQueryObject("bower", d.Name, d.Value.ToString(), "")));
            }
        }
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            try
            {
                AuditFileInfo config_file        = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
                string        _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
                string        xml = config_file.ReadAsText();
                if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
                {
                    var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                    xml = xml.Remove(0, lastIndexOfUtf8);
                }
                XElement root = XElement.Parse(xml);
                IEnumerable <Package> packages;

                if (root.Name == "Project")
                {
                    // dotnet core csproj file
                    packages = root.Descendants().Where(x => x.Name == "PackageReference").Select(r =>
                                                                                                  new Package("nuget", r.Attribute("Include").Value, r.Attribute("Version").Value)).ToList();
                }
                else
                {
                    packages =
                        from el in root.Elements("package")
                        select new Package("nuget", el.Attribute("id").Value, el.Attribute("version").Value, "");
                }



                return(packages);
            }
            catch (XmlException e)
            {
                throw new Exception("XML exception thrown parsing file: " + this.PackageManagerConfigurationFile, e);
            }
            catch (Exception e)
            {
                throw new Exception("Unknown exception thrown attempting to get packages from file: "
                                    + this.PackageManagerConfigurationFile, e);
            }
        }
Exemple #15
0
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            List <Package> packages              = new List <Package>();
            AuditFileInfo  config_file           = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            JObject        json                  = (JObject)JToken.Parse(config_file.ReadAsText());
            JObject        dependencies          = (JObject)json["dependencies"];
            JObject        dev_dependencies      = (JObject)json["devDependencies"];
            JObject        peer_dependencies     = (JObject)json["peerDependencies"];
            JObject        optional_dependencies = (JObject)json["optionalDependencies"];
            JObject        bundled_dependencies  = (JObject)json["bundledDependencies"];

            if (dependencies != null)
            {
                packages.AddRange(dependencies.Properties()
                                  .SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
            }
            if (dev_dependencies != null)
            {
                packages.AddRange(dev_dependencies.Properties()
                                  .SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
            }
            if (peer_dependencies != null)
            {
                packages.AddRange(peer_dependencies.Properties()
                                  .SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
            }
            if (optional_dependencies != null)
            {
                packages.AddRange(optional_dependencies.Properties()
                                  .SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
            }
            if (bundled_dependencies != null)
            {
                packages.AddRange(bundled_dependencies.Properties()
                                  .SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
            }
            if (!string.IsNullOrEmpty(this.PackageSourceLockFile))
            {
                this.GetPackageManagerLockFilePackages(packages);
            }
            return(packages);
        }
Exemple #16
0
        protected override IConfiguration GetConfiguration()
        {
            PostgreSQL pgsql = new PostgreSQL(this.ConfigurationFile, this.AlpheusEnvironment);

            if (pgsql.ParseSucceded)
            {
                this.Configuration            = pgsql;
                this.ConfigurationInitialised = true;
                this.AuditEnvironment.Success(this.ConfigurationStatistics);
                if (this.AuditEnvironment.OS.Platform == PlatformID.Unix)
                {
                    string auto_file_path = this.FindServerFile(this.CombinePath("@", "var", "lib", "*sql", "*", "postgresql.auto.conf")).FirstOrDefault();
                    if (!string.IsNullOrEmpty(auto_file_path))
                    {
                        AuditFileInfo auto_config_file = this.AuditEnvironment.ConstructFile(auto_file_path);
                        this.AuditEnvironment.Info("Found PostgreSQL server auto configuration file {0}.", auto_config_file.FullName);
                        PostgreSQL auto_pgsql = new PostgreSQL(auto_config_file);
                        if (auto_pgsql.ParseSucceded)
                        {
                            pgsql.XmlConfiguration.Root.Element("Values").Add(auto_pgsql.XmlConfiguration.Root.Element("Values").Descendants());
                            this.AuditEnvironment.Success("Merged configuration from {0}.", auto_pgsql.FullFilePath);
                        }
                    }
                }
                this.Configuration.XmlConfiguration.Root.Add(new XAttribute("Version", this.Version));
            }
            else
            {
                this.AuditEnvironment.Error("Could not parse configuration from {0}.", pgsql.FullFilePath);
                if (pgsql.LastParseException != null)
                {
                    this.AuditEnvironment.Error(pgsql.LastParseException);
                }
                if (pgsql.LastIOException != null)
                {
                    this.AuditEnvironment.Error(pgsql.LastIOException);
                }
                this.Configuration            = null;
                this.ConfigurationInitialised = false;
            }
            return(this.Configuration);
        }
Exemple #17
0
        protected override void DetectServerBinaryFile(Dictionary <PlatformID, string[]> autodetect_binary_file_path)
        {
            bool set_binary_from_process_cmdline = false;
            List <ProcessInfo> processes         = this.AuditEnvironment.GetAllRunningProcesses();

            if (processes != null && processes.Any(p => p.CommandLine == "postgres"))
            {
                string f = WhichServerFile("postgres");
                if (!string.IsNullOrEmpty(f))
                {
                    AuditFileInfo ab = this.AuditEnvironment.ConstructFile(f);
                    if (ab.Exists)
                    {
                        this.ApplicationBinary = ab;
                        this.AuditEnvironment.Success("Auto-detected PostgreSQL binary at {0}.", this.ApplicationBinary.FullName);
                        set_binary_from_process_cmdline = true;
                    }
                }
            }
            if (!set_binary_from_process_cmdline)
            {
                base.DetectServerBinaryFile(autodetect_binary_file_path);
            }
        }
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            AuditFileInfo  config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            List <Package> packages    = new List <Package>();


            var isSnlSolution  = config_file.Name.EndsWith(".sln");
            var isCsProj       = config_file.Name.EndsWith(".csproj");
            var isBuildTargets = config_file.Name.EndsWith(".Build.targets");
            var isDepsJson     = config_file.Name.EndsWith(".deps.json");

            if (isSnlSolution)
            {
                var   Content  = File.ReadAllText(this.PackageManagerConfigurationFile);
                Regex projReg  = new Regex("Project\\(\"\\{[\\w-]*\\}\"\\) = \"([\\w _]*.*)\", \"(.*\\.(cs|vcx|vb)proj)\"", RegexOptions.Compiled);
                var   matches  = projReg.Matches(Content).Cast <Match>();
                var   Projects = matches.Select(x => x.Groups[2].Value).ToList();
                for (int i = 0; i < Projects.Count; ++i)
                {
                    if (!Path.IsPathRooted(Projects[i]))
                    {
                        Projects[i] = Path.Combine(Path.GetDirectoryName(this.PackageManagerConfigurationFile),
                                                   Projects[i]);
                    }
                    Projects[i] = Path.GetFullPath(Projects[i]);
                }

                foreach (var project in Projects)
                {
                    var tmpProject = GetPackagesFromProjectFile(project, true);

                    if (tmpProject.Count != 0)
                    {
                        this.AuditEnvironment.Info($"Found {tmpProject.Count} packages in {project}");

                        foreach (var tmpPacket in tmpProject)
                        {
                            if (!packages.Contains(tmpPacket))
                            {
                                packages.Add(tmpPacket);
                            }
                        }
                    }
                }
                return(packages);
            }

            if (isCsProj || isBuildTargets)
            {
                return(GetPackagesFromProjectFile(this.PackageManagerConfigurationFile, isCsProj));
            }
            if (isDepsJson)
            {
                try
                {
                    this.AuditEnvironment.Info("Reading packages from .NET Core dependencies manifest..");
                    JObject json      = (JObject)JToken.Parse(config_file.ReadAsText());
                    JObject libraries = (JObject)json["libraries"];

                    if (libraries != null)
                    {
                        foreach (JProperty p in libraries.Properties())
                        {
                            string[] name = p.Name.Split('/');
                            // Packages with version 0.0.0.0 can show up if the are part of .net framework.
                            // Checking this version number is quite useless and might give a false positive.
                            if (name[1] != "0.0.0.0")
                            {
                                packages.Add(new Package("nuget", name[0], name[1]));
                            }
                        }
                    }
                    return(packages);
                }
                catch (Exception e)
                {
                    this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
                    return(packages);
                }
            }

            this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
            return(packages);
        }
        private List <Package> GetPackagesFromProjectFile(string filename, bool isCsProj)
        {
            List <Package> packages    = new List <Package>();
            AuditFileInfo  config_file = this.AuditEnvironment.ConstructFile(filename);

            var fileType = isCsProj ? ".csproj" : "build targets";

            this.AuditEnvironment.Info($"Reading packages from .NET Core C# {fileType} file.");
            string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
            string xml = config_file.ReadAsText();

            if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
            {
                var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                xml = xml.Remove(0, lastIndexOfUtf8);
            }
            XElement root = XElement.Parse(xml);

            var package = isCsProj ? "Include" : "Update";

            if (root.Name.LocalName == "Project")
            {
                packages =
                    root
                    .Descendants()
                    .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") != null)
                    .SelectMany(r => GetDeveloperPackages(r.Attribute(package).Value, r.Attribute("Version").Value))
                    .ToList();

                IEnumerable <string> skipped_packages =
                    root
                    .Descendants()
                    .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") == null)
                    .Select(r => r.Attribute(package).Value);

                if (skipped_packages.Count() > 0)
                {
                    this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
                                                  skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
                }
                var helper          = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
                var nuGetFrameworks = helper.GetFrameworks(root);

                if (!nuGetFrameworks.Any())
                {
                    AuditEnvironment.Warning("Scanning from project file found 0 packages, checking for packages.config file. ");
                    nuGetFrameworks = helper.GetFrameworks();
                }

                if (!nuGetFrameworks.Any())
                {
                    AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
                }

                foreach (var framework in nuGetFrameworks)
                {
                    AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
                    var deps = helper.GetPackageDependencies(packages, framework);
                    Task.WaitAll(deps);
                    packages = helper.AddPackageDependencies(deps.Result, packages);
                }
                return(packages);
            }
            else
            {
                this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
                return(packages);
            }
        }
Exemple #20
0
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            AuditFileInfo  config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            List <Package> packages    = new List <Package>();

            var isCsProj       = config_file.Name.EndsWith(".csproj");
            var isBuildTargets = config_file.Name.EndsWith(".Build.targets");
            var isDepsJson     = config_file.Name.EndsWith(".deps.json");

            if (isCsProj || isBuildTargets)
            {
                var fileType = isCsProj ? ".csproj" : "build targets";
                this.AuditEnvironment.Info($"Reading packages from .NET Core C# {fileType} file.");
                string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
                string xml = config_file.ReadAsText();
                if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
                {
                    var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                    xml = xml.Remove(0, lastIndexOfUtf8);
                }
                XElement root = XElement.Parse(xml);

                var package = isCsProj ? "Include" : "Update";

                if (root.Name.LocalName == "Project")
                {
                    packages =
                        root
                        .Descendants()
                        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") != null)
                        .SelectMany(r => GetDeveloperPackages(r.Attribute(package).Value, r.Attribute("Version").Value))
                        .ToList();

                    IEnumerable <string> skipped_packages =
                        root
                        .Descendants()
                        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") == null)
                        .Select(r => r.Attribute(package).Value);

                    if (skipped_packages.Count() > 0)
                    {
                        this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
                                                      skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
                    }
                    var helper          = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
                    var nuGetFrameworks = helper.GetFrameworks(root);

                    if (!nuGetFrameworks.Any())
                    {
                        AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
                    }

                    foreach (var framework in nuGetFrameworks)
                    {
                        AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
                        var deps = helper.GetPackageDependencies(packages, framework);
                        Task.WaitAll(deps);
                        packages = helper.AddPackageDependencies(deps.Result, packages);
                    }
                    return(packages);
                }
                else
                {
                    this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
                    return(packages);
                }
            }
            if (isDepsJson)
            {
                try
                {
                    this.AuditEnvironment.Info("Reading packages from .NET Core dependencies manifest..");
                    JObject json      = (JObject)JToken.Parse(config_file.ReadAsText());
                    JObject libraries = (JObject)json["libraries"];

                    if (libraries != null)
                    {
                        foreach (JProperty p in libraries.Properties())
                        {
                            string[] name = p.Name.Split('/');
                            // Packages with version 0.0.0.0 can show up if the are part of .net framework.
                            // Checking this version number is quite useless and might give a false positive.
                            if (name[1] != "0.0.0.0")
                            {
                                packages.Add(new Package("nuget", name[0], name[1]));
                            }
                        }
                    }
                    return(packages);
                }
                catch (Exception e)
                {
                    this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
                    return(packages);
                }
            }

            this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
            return(packages);
        }
Exemple #21
0
        public AuditTarget(Dictionary <string, object> audit_options, EventHandler <EnvironmentEventArgs> controller_message_handler = null)
        {
            if (ReferenceEquals(audit_options, null))
            {
                throw new ArgumentNullException("audit_options");
            }
            this.AuditOptions = audit_options;

            #region Setup host environment
            if (this.AuditOptions.ContainsKey("HostEnvironment"))
            {
                this.HostEnvironment            = (LocalEnvironment)this.AuditOptions["HostEnvironment"];
                this.HostEnvironmentInitialised = true;
            }
            else
            {
                this.ControllerMessage      = controller_message_handler;
                this.HostEnvironmentMessage = AuditTarget_HostEnvironmentMessageHandler;
                this.HostEnvironment        = new LocalEnvironment(this.HostEnvironmentMessage);
                this.HostEnvironment.ScriptEnvironment.MessageHandler += this.AuditTarget_ScriptEnvironmentMessageHandler;
                if (this.AuditOptions.ContainsKey("Dockerized"))
                {
                    this.HostEnvironment.IsDockerContainer = true;
                }
                this.HostEnvironmentInitialised = true;
            }
            #endregion

            #region Setup audit environment
            if (this.AuditOptions.ContainsKey("AuditEnvironment"))
            {
                this.AuditEnvironment           = (AuditEnvironment)this.AuditOptions["AuditEnvironment"];
                this.AuditEnvironmentIntialised = true;
            }
            else
            {
                if (this.AuditOptions.Keys.Contains("DockerContainer") && !this.AuditOptions.Keys.Contains("RemoteHost"))
                {
                    DockerAuditEnvironment docker_environment = new DockerAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                    if (string.IsNullOrEmpty(docker_environment.Container))
                    {
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("Failed to initialise audit environment.");
                    }
                    else if (!docker_environment.ContainerRunning)
                    {
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("The Docker container is not currently running and DevAudit does not know how to run your container. Ensure your container is running before attempting to" +
                                            "audit it.");
                    }
                    else
                    {
                        this.AuditEnvironment                 = docker_environment;
                        this.AuditEnvironmentIntialised       = true;
                        this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                        this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                        this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                    }
                }
                else if (this.AuditOptions.Keys.Contains("DockerContainer") && this.AuditOptions.Keys.Contains("RemoteHost"))
                {
                    SshDockerAuditEnvironment ssh_environment = null;
                    if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemoteKeyFile"))
                    {
                        if (this.AuditOptions.Keys.Contains("RemoteKeyPassPhrase"))
                        {
                            ssh_environment = new SshDockerAuditEnvironment(this.HostEnvironmentMessage, "ssh", (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                            (string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemoteKeyPassPhrase"], (string)this.AuditOptions["RemoteKeyFile"],
                                                                            (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                        }
                        else
                        {
                            ssh_environment = new SshDockerAuditEnvironment(this.HostEnvironmentMessage, "ssh", (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                            (string)this.AuditOptions["RemoteUser"], null, (string)this.AuditOptions["RemoteKeyFile"],
                                                                            (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                        }
                    }
                    else if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemotePass"))
                    {
                        ssh_environment = new SshDockerAuditEnvironment(this.HostEnvironmentMessage, "ssh", (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                        (string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemotePass"], null, (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                    }
                    else
                    {
                        throw new Exception("Unknown remote host authentication options.");
                    }

                    if (ssh_environment.IsConnected)
                    {
                        if (string.IsNullOrEmpty(ssh_environment.Container))
                        {
                            this.AuditEnvironmentIntialised = false;
                            throw new Exception("Failed to initialise audit environment.");
                        }
                        else if (!ssh_environment.ContainerRunning)
                        {
                            this.AuditEnvironmentIntialised = false;
                            throw new Exception("The Docker container is not currently running and DevAudit does not know how to run your container. Ensure your container is running before attempting to" +
                                                "audit it.");
                        }
                        else
                        {
                            this.AuditEnvironment                 = ssh_environment;
                            this.AuditEnvironmentIntialised       = true;
                            this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                            this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                            this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                        }
                    }
                    else
                    {
                        ssh_environment = null;
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("Failed to initialise SSH Docker audit environment.");
                    }
                }
                else if (this.AuditOptions.Keys.Contains("RemoteHost"))
                {
                    string client;
                    SshAuditEnvironment ssh_environment = null;
                    if (this.HostEnvironment.OS.Platform == PlatformID.Win32NT)
                    {
                        client = this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "plink" : this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "openssh" : "ssh";
                    }
                    else
                    {
                        client = "ssh";
                    }

                    if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemoteKeyFile"))
                    {
                        if (this.AuditOptions.Keys.Contains("RemoteKeyPassPhrase"))
                        {
                            ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                      (string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemoteKeyPassPhrase"], (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                        }
                        else
                        {
                            ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                      (string)this.AuditOptions["RemoteUser"], null, (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                        }
                    }
                    else if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemotePass"))
                    {
                        ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                  (string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemotePass"], null, new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                    }
                    else
                    {
                        throw new Exception("Unknown remote host authentication options.");
                    }

                    if (ssh_environment.IsConnected)
                    {
                        this.AuditEnvironment                 = ssh_environment;
                        this.AuditEnvironmentIntialised       = true;
                        this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                        this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                        this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                    }
                    else
                    {
                        ssh_environment = null;
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("Failed to initialise SSH audit environment.");
                    }
                }
                else if (this.AuditOptions.Keys.Contains("WinRmRemoteIp") || this.AuditOptions.Keys.Contains("WinRmRemoteHost"))
                {
                    if (!this.AuditOptions.Keys.Contains("RemoteUser") || !this.AuditOptions.Keys.Contains("RemotePass"))
                    {
                        throw new Exception("A remote user and password must be specified.");
                    }
                    WinRmAuditEnvironment winrm;
                    if (this.AuditOptions.Keys.Contains("WinRmRemoteIp"))
                    {
                        winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, this.AuditOptions["WinRmRemoteIp"] as IPAddress,
                                                          (string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
                        if (winrm.IsConnected)
                        {
                            this.AuditEnvironment                 = winrm;
                            this.AuditEnvironmentIntialised       = true;
                            this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                            this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                            this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                        }
                        else
                        {
                            winrm = null;
                            this.AuditEnvironmentIntialised = false;
                            throw new Exception("Failed to initialise WinRM audit environment.");
                        }
                    }
                    else
                    {
                        winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["WinRmRemoteHost"],
                                                          (string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
                    }
                }
                else if (this.AuditOptions.Keys.Contains("RemoteUser") || this.AuditOptions.Keys.Contains("RemotePass"))
                {
                    throw new Exception("A remote host name must be specified.");
                }
                else if (this.AuditOptions.ContainsKey("Dockerized"))
                {
                    this.AuditEnvironmentMessage    = AuditTarget_AuditEnvironmentMessageHandler;
                    this.AuditEnvironment           = new DockerizedLocalEnvironment(this.AuditEnvironmentMessage);
                    this.AuditEnvironmentIntialised = true;
                }
                else if (this.AuditOptions.ContainsKey("GitHubRepoName"))
                {
                    if (!this.AuditOptions.ContainsKey("GitHubRepoOwner") || !this.AuditOptions.ContainsKey("GitHubRepoBranch"))
                    {
                        throw new ArgumentException("A required audit option for the GitHub environment is missing.");
                    }
                    string user_api_token = string.Empty;
                    if (this.AuditOptions.ContainsKey("GitHubToken"))
                    {
                        user_api_token = (string)this.AuditOptions["GitHubToken"];
                    }
                    GitHubAuditEnvironment github_environment = new GitHubAuditEnvironment(this.HostEnvironmentMessage, user_api_token, (string)this.AuditOptions["GitHubRepoOwner"],
                                                                                           (string)this.AuditOptions["GitHubRepoName"], (string)this.AuditOptions["GitHubRepoBranch"], this.HostEnvironment);
                    if (github_environment.RepositoryInitialised)
                    {
                        this.AuditEnvironment                 = github_environment;
                        this.AuditEnvironmentIntialised       = true;
                        this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                        this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                        this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                    }
                    else
                    {
                        github_environment = null;
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("Failed to initialise GitHub audit environment.");
                    }
                }
                else if (this.AuditOptions.ContainsKey("GitLabRepoName"))
                {
                    string api_token = string.Empty;
                    if (!this.AuditOptions.ContainsKey("GitLabRepoUrl") || !this.AuditOptions.ContainsKey("GitLabRepoName") || !this.AuditOptions.ContainsKey("GitLabRepoBranch"))
                    {
                        throw new ArgumentException("A required audit option for the GitLab environment is missing.");
                    }
                    GitLabAuditEnvironment GitLab_environment = new GitLabAuditEnvironment(this.HostEnvironmentMessage, api_token, (string)this.AuditOptions["GitLabRepoUrl"],
                                                                                           (string)this.AuditOptions["GitLabRepoName"], (string)this.AuditOptions["GitLabRepoBranch"], this.HostEnvironment);
                    if (GitLab_environment.RepositoryInitialised)
                    {
                        this.AuditEnvironment                 = GitLab_environment;
                        this.AuditEnvironmentIntialised       = true;
                        this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                        this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                        this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                    }
                    else
                    {
                        GitLab_environment = null;
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("Failed to initialise audit environment.");
                    }
                }
                else
                {
                    this.AuditEnvironmentMessage    = AuditTarget_AuditEnvironmentMessageHandler;
                    this.AuditEnvironment           = new LocalEnvironment(this.AuditEnvironmentMessage);
                    this.AuditEnvironmentIntialised = true;
                }
                if (this.AuditOptions.ContainsKey("Profile"))
                {
                    AuditFileInfo pf = this.AuditEnvironment.ConstructFile((string)this.AuditOptions["Profile"]);
                    if (pf.Exists)
                    {
                        this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
                    }
                    else
                    {
                        this.AuditEnvironment.Warning("The profile file {0} does not exist. No audit profile will be used.", pf.FullName);
                    }
                }

                if (this.AuditEnvironment is IOperatingSystemEnvironment)
                {
                    this.AuditEnvironment.GetOSName();
                    this.AuditEnvironment.GetOSVersion();
                    if (this.AuditOptions.ContainsKey("OSName"))
                    {
                        this.AuditEnvironment.OSName = (string)this.AuditOptions["OSName"];
                        this.AuditEnvironment.Info("Overriding audit environment OS name to {0}.", this.AuditEnvironment.OSName);
                    }
                    if (this.AuditOptions.ContainsKey("OSVersion"))
                    {
                        this.AuditEnvironment.OSVersion = (string)this.AuditOptions["OSVersion"];
                        this.AuditEnvironment.Info("Overriding audit environment OS version to {0}.", this.AuditEnvironment.OSVersion);
                    }
                }
            }
            #endregion

            #region Setup data source options
            if (this.AuditOptions.ContainsKey("NoCache"))
            {
                this.DataSourceOptions.Add("NoCache", true);
            }

            if (this.AuditOptions.ContainsKey("DeleteCache"))
            {
                this.DataSourceOptions.Add("DeleteCache", true);
            }

            if (this.AuditOptions.ContainsKey("HttpsProxy"))
            {
                DataSourceOptions.Add("HttpsProxy", (Uri)this.AuditOptions["HttpsProxy"]);
            }

            if (this.AuditOptions.ContainsKey("IgnoreHttpsCertErrors"))
            {
                this.DataSourceOptions.Add("IgnoreHttpsCertErrors", true);
            }

            if (this.AuditOptions.ContainsKey("ApiUser"))
            {
                this.DataSourceOptions.Add("ApiUser", this.AuditOptions["ApiUser"]);
            }
            else if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("API_USER")))
            {
                this.DataSourceOptions.Add("ApiUser", Environment.GetEnvironmentVariable("API_USER"));
            }

            if (this.AuditOptions.ContainsKey("ApiToken"))
            {
                this.DataSourceOptions.Add("ApiToken", this.AuditOptions["ApiToken"]);
            }
            else if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("API_TOKEN")))
            {
                this.DataSourceOptions.Add("ApiToken", Environment.GetEnvironmentVariable("API_TOKEN"));
            }

            if (this.AuditOptions.ContainsKey("WithOSSI"))
            {
                this.DataSources.Add(new OSSIndexApiv3DataSource(this, DataSourceOptions));
            }

            if (this.AuditOptions.ContainsKey("WithVulners"))
            {
                this.DataSources.Add(new VulnersDataSource(this, DataSourceOptions));
            }
            #endregion

            #region Setup audit profile
            if (this.AuditEnvironment.FileExists("devaudit.yml"))
            {
                this.AuditProfile = new AuditProfile(this.AuditEnvironment, this.AuditEnvironment.ConstructFile("devaudit.yml"));
            }

            #endregion
        }
Exemple #22
0
        public void GetPackageManagerLockFilePackages(List <Package> packages)
        {
            int           origCount = packages.Count;
            AuditFileInfo f         = this.AuditEnvironment.ConstructFile(this.PackageSourceLockFile);
            string        text      = f.ReadAsText();

            string[]      lines      = text.Split(new[] { "\n" }, StringSplitOptions.None);
            bool          insideDeps = false;
            List <string> deps       = new List <string>();

            for (int i = 0; i < lines.Length; i++)
            {
                string line = lines[i];
                if (!insideDeps && line.Trim().StartsWith("dependencies:"))
                {
                    insideDeps = true;
                    continue;
                }

                else if (insideDeps && string.IsNullOrEmpty(line.Trim()) || line.Trim() == "optionalDependencies:")
                {
                    insideDeps = false;
                    continue;
                }
                else if (insideDeps)
                {
                    deps.Add(line);
                }
                else
                {
                    continue;
                }
            }
            foreach (var d in deps)
            {
                var m = dRegEx.Match(d);
                if (m.Success)
                {
                    string n           = m.Groups[1].Value.Replace("@", "").Trim();
                    string v           = m.Groups[2].Value.Trim();
                    var    depPackages = GetDeveloperPackages(n, v);
                    foreach (var package in depPackages)
                    {
                        if (!packages.Any(p => p.Name == package.Name && p.Version == package.Version))
                        {
                            packages.Add(package);
                        }
                    }
                }
                else
                {
                    this.AuditEnvironment.Error("Could not parse lock file dependency line {0}. Skipping.", d.Trim());
                }
            }
            //var m = l.Matches(text);
            if (packages.Count > origCount)
            {
                this.AuditEnvironment.Info("Added {0} package dependencies from Yarn lock file {1}.",
                                           packages.Count - origCount, this.PackageSourceLockFile);
            }
        }
Exemple #23
0
        public NetFxCodeProject(Dictionary <string, object> project_options, Dictionary <string, string[]> default_file_location_paths, string analyzer_type, EventHandler <EnvironmentEventArgs> message_handler)
            : base(project_options, message_handler, default_file_location_paths, analyzer_type)
        {
            this.message_handler = message_handler;
            if (this.CodeProjectOptions.ContainsKey("ProjectFile"))
            {
                string pf = (string)CodeProjectOptions["ProjectFile"];
                if (!pf.StartsWith("@"))
                {
                    throw new ArgumentException("ProjectFile option must be relative to root directory and start with the @ char.", "project_options");
                }
                AuditFileInfo wf = this.AuditEnvironment.ConstructFile(this.CombinePath(pf));
                if (wf.Exists)
                {
                    this.WorkspaceFilePath = pf;
                    this.CodeProjectFileSystemMap["RootDirectory"] = this.AuditEnvironment.ConstructDirectory(wf.Directory.FullName);
                }
                else
                {
                    throw new ArgumentException(string.Format("Could not find the MSBuild project file at {0}.", wf.FullName), "project_options");
                }
            }

            else if (this.CodeProjectOptions.ContainsKey("ProjectName"))
            {
                string fn_1 = this.CombinePath("@", (string)this.CodeProjectOptions["ProjectName"]); //CodeProjectName/CodeProjectName.xxx
                //string fn_2 = this.CombinePath("src", (string)this.CodeProjectOptions["CodeProjectName"], (string)this.CodeProjectOptions["CodeProjectName"]); //CodeProjectName/src/CodeProjectName.xxx
                AuditFileInfo wf_11 = this.AuditEnvironment.ConstructFile(fn_1 + ".csproj");
                AuditFileInfo wf_12 = this.AuditEnvironment.ConstructFile(fn_1 + ".xproj");
                //AuditFileInfo wf_21 = this.AuditEnvironment.ConstructFile(fn_2 + ".csproj");
                //AuditFileInfo wf_22 = this.AuditEnvironment.ConstructFile(fn_2 + ".xproj");

                if (wf_11.Exists)
                {
                    this.WorkspaceFilePath = "@" + (string)this.CodeProjectOptions["ProjectName"] + ".csproj";
                    this.CodeProjectFileSystemMap["RootDirectory"] = this.AuditEnvironment.ConstructDirectory(wf_11.Directory.FullName);
                }
                else if (wf_12.Exists)
                {
                    this.WorkspaceFilePath = "@" + (string)this.CodeProjectOptions["ProjectName"] + ".xproj";
                    this.CodeProjectFileSystemMap["RootDirectory"] = this.AuditEnvironment.ConstructDirectory(wf_12.Directory.FullName);
                }

                /*
                 * else if (wf_22.Exists)
                 * {
                 *  this.WorkspaceFilePath = this.CombinePath("src", (string)this.CodeProjectOptions["CodeProjectName"], (string)this.CodeProjectOptions["CodeProjectName"]) + ".xproj";
                 *  this.ProjectDirectory = wf_22.Directory as AuditDirectoryInfo;
                 *  this.CodeProjectFileSystemMap["RootDirectory"] = wf_22.Directory as AuditDirectoryInfo;
                 * }
                 */
                else
                {
                    throw new ArgumentException(string.Format("No ProjectFile option was specified and could not find the default project file at {0} or {1}.", wf_11.FullName, wf_12.FullName), "project_options");
                }
            }
            else
            {
                throw new ArgumentException("Either the ProjectFile or ProjectName option must be specified.", "project_options");
            }

            this.ProjectDirectory = this.RootDirectory;
            this.AuditEnvironment.Info("Using MSBuild project file {0}.", this.WorkspaceFilePath);

            //Ensure CSharp assembly gets pulled into build.
            var _ = typeof(Microsoft.CodeAnalysis.CSharp.Formatting.CSharpFormattingOptions);

            if (this.CodeProjectOptions.ContainsKey("PackageSource"))
            {
                AuditFileInfo packages_config = this.AuditEnvironment.ConstructFile(this.CombinePath((string)CodeProjectOptions["PackageSource"]));
                if (packages_config.Exists)
                {
                    this.AuditEnvironment.Debug("Using NuGet v2 package manager configuration file {0}", packages_config.FullName);
                    this.PackageSource = new NuGetPackageSource(new Dictionary <string, object>(1)
                    {
                        { "File", packages_config.FullName }
                    }, message_handler);
                    this.PackageSourceFile   = packages_config;
                    PackageSourceInitialized = true;
                }
                else
                {
                    throw new ArgumentException(string.Format("Could not find the NuGet v2 package source file at {0}.", packages_config.FullName), "project_options");
                }
            }
            else
            {
                AuditFileInfo packages_config = this.AuditEnvironment.ConstructFile(this.CombinePath("@packages.config"));
                if (packages_config.Exists)
                {
                    this.AuditEnvironment.Debug("Using NuGet v2 package manager configuration file {0}", packages_config.FullName);
                    this.PackageSource = new NuGetPackageSource(new Dictionary <string, object>(1)
                    {
                        { "File", packages_config.FullName }
                    }, message_handler);
                    this.PackageSourceFile   = packages_config;
                    PackageSourceInitialized = true;
                }

                else
                {
                    this.AuditEnvironment.Warning("No PackageSource option was specified and the default NuGet v2 package manager configuration file {0} does not exist.", packages_config.FullName);
                    PackageSourceInitialized = false;
                }
            }

            this.ConfigurationFiles = this.RootDirectory.GetFiles("*.config", SearchOption.TopDirectoryOnly).Select(f => f as AuditFileInfo).ToList();
            if (this.CodeProjectOptions.ContainsKey("AppConfig"))
            {
                AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath((string)this.CodeProjectOptions["AppConfig"]));
                if (!cf.Exists)
                {
                    throw new ArgumentException(string.Format("The .NET application configuration file {0} does not exist.", cf.FullName));
                }
                else
                {
                    this.AppConfigurationFile = cf;
                    this.AuditEnvironment.Info("Using .NET application configuration file {0}.", cf.FullName);
                }
            }
            else
            {
                AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath(this.DefaultFileLocationPaths["AppConfig"]));
                if (!cf.Exists)
                {
                    this.AuditEnvironment.Warning("The .NET application configuration file was not specified and the default file was not found.");
                }
                else
                {
                    this.AppConfigurationFile = cf;
                    this.AuditEnvironment.Info("Using default .NET application configuration file {0}.", cf.FullName);
                }
            }
            if (this.AppConfigurationFile != null)
            {
                this.GetApplication();
            }
        }
Exemple #24
0
        public PackageSource(Dictionary <string, object> package_source_options, EventHandler <EnvironmentEventArgs> message_handler) : base(package_source_options, message_handler)
        {
            this.PackageSourceOptions = this.AuditOptions;
            if (this.PackageSourceOptions.ContainsKey("File"))
            {
                this.PackageManagerConfigurationFile = (string)this.PackageSourceOptions["File"];
                if (!this.AuditEnvironment.FileExists(this.PackageManagerConfigurationFile))
                {
                    throw new ArgumentException("Could not find the file " + this.PackageManagerConfigurationFile + ".", "package_source_options");
                }
            }
            else if (!this.PackageSourceOptions.ContainsKey("File") && this.DefaultPackageManagerConfigurationFile != string.Empty)
            {
                if (this.AuditEnvironment.FileExists(this.DefaultPackageManagerConfigurationFile))
                {
                    this.AuditEnvironment.Info("Using default {0} package manager configuration file {1}", this.PackageManagerLabel, this.DefaultPackageManagerConfigurationFile);
                    this.PackageManagerConfigurationFile = this.DefaultPackageManagerConfigurationFile;
                }
                else
                {
                    throw new ArgumentException(string.Format("No file option was specified and the default {0} package manager configuration file {1} was not found.", this.PackageManagerLabel, this.DefaultPackageManagerConfigurationFile));
                }
            }

            if (!string.IsNullOrEmpty(this.PackageManagerConfigurationFile))
            {
                AuditFileInfo      cf = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
                AuditDirectoryInfo d  = this.AuditEnvironment.ConstructDirectory(cf.DirectoryName);
                IFileInfo[]        pf;
                if ((pf = d.GetFiles("devaudit.yml")) != null)
                {
                    this.AuditProfile = new AuditProfile(this.AuditEnvironment, this.AuditEnvironment.ConstructFile(pf.First().FullName));
                }
            }

            if (this.PackageSourceOptions.ContainsKey("ListPackages"))
            {
                this.ListPackages = true;
            }

            if (this.PackageSourceOptions.ContainsKey("ListArtifacts"))
            {
                this.ListArtifacts = true;
            }

            if (this.PackageSourceOptions.ContainsKey("SkipPackagesAudit"))
            {
                this.SkipPackagesAudit = true;
            }

            if (this.PackageSourceOptions.ContainsKey("WithPackageInfo"))
            {
                this.WithPackageInfo = true;
            }

            if (this.PackageSourceOptions.ContainsKey("HttpsProxy"))
            {
                if (this.AuditOptions.ContainsKey("HttpsProxy"))
                {
                    DataSourceOptions.Add("HttpsProxy", (Uri)this.PackageSourceOptions["HttpsProxy"]);
                }
            }

            string[] ossi_pms = { "bower", "composer", "choco", "msi", "nuget", "oneget", "yarn" };
            if (this.DataSources.Count == 0 && ossi_pms.Contains(this.PackageManagerId))
            {
                this.HostEnvironment.Info("Using OSS Index as default package vulnerabilities data source for {0} package source.", this.PackageManagerLabel);
                this.DataSources.Add(new OSSIndexDataSource(this, this.DataSourceOptions));
            }
        }
Exemple #25
0
        public NetFx4Application(Dictionary <string, object> application_options, Dictionary <string, string[]> required_files,
                                 Dictionary <string, string[]> required_directories, string analyzer_type, EventHandler <EnvironmentEventArgs> message_handler) : base(application_options,
                                                                                                                                                                       required_files, required_directories, analyzer_type, message_handler)
        {
            if (!this.SkipPackagesAudit)
            {
                if (application_options.ContainsKey("PackageSource"))
                {
                    application_options.Add("File", this.CombinePath((string)application_options["PackageSource"]));
                    this.NugetPackageSource       = new NuGetPackageSource(application_options, message_handler);
                    this.PackageSourceInitialized = true;
                    this.AuditEnvironment.Info("Using NuGet v2 package manager configuration file {0}", (string)application_options["PackageSource"]);
                }
                else if (application_options.ContainsKey("File"))
                {
                    application_options.Add("File", this.CombinePath((string)application_options["File"]));
                    this.NugetPackageSource       = new NuGetPackageSource(application_options, message_handler);
                    this.PackageSourceInitialized = true;
                    this.AuditEnvironment.Info("Using NuGet v2 package manager configuration file {0}", (string)application_options["File"]);
                }
                else
                {
                    AuditFileInfo packages_config = this.AuditEnvironment.ConstructFile(this.CombinePath("@packages.config"));
                    if (packages_config.Exists)
                    {
                        application_options.Add("File", packages_config.FullName);
                        this.NugetPackageSource       = new NuGetPackageSource(application_options, message_handler);
                        this.PackageSourceInitialized = true;
                        this.AuditEnvironment.Info("Using NuGet v2 package manager configuration file {0}", packages_config.FullName);
                    }

                    else
                    {
                        this.AuditEnvironment.Warning("The default NuGet v2 package manager configuration file {0} does not exist and no PackageSource parameter was specified.", packages_config.FullName);
                        PackageSourceInitialized = false;
                    }
                }
            }
            AuditFileInfo cf;

            if (this.ApplicationFileSystemMap.ContainsKey("AppConfig"))
            {
                this.AppConfig = this.ApplicationFileSystemMap["AppConfig"] as AuditFileInfo;
                this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
            }
            else if (application_options.ContainsKey("AppConfig"))
            {
                cf = this.AuditEnvironment.ConstructFile(this.CombinePath((string)application_options["AppConfig"]));
                if (cf.Exists)
                {
                    this.AppConfig = cf;
                    this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
                }
                else
                {
                    throw new ArgumentException(string.Format("The configuration file {0} does not exist.", cf.FullName), "application_options");
                }
            }
            else if (application_options.ContainsKey("ConfigurationFile"))
            {
                cf = this.AuditEnvironment.ConstructFile(this.CombinePath((string)application_options["ConfigurationFile"]));
                if (cf.Exists)
                {
                    this.AppConfig = cf;
                    this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
                }
                else
                {
                    throw new ArgumentException(string.Format("The configuration file {0} does not exist.", cf.FullName), "application_options");
                }
            }
            else if (this.AuditEnvironment.FileExists(this.CombinePath("@App.config")))
            {
                cf             = this.AuditEnvironment.ConstructFile(this.CombinePath(("@App.config")));
                this.AppConfig = cf;
                this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
            }
            else if (this.ApplicationBinary != null)
            {
                cf = this.AuditEnvironment.ConstructFile(this.ApplicationBinary.FullName + ".config");
                if (!cf.Exists)
                {
                    this.AuditEnvironment.Warning("The default .NET application configuration file {0} does not exist and no AppConfig parameter was specified.", cf.FullName);
                }
                else
                {
                    this.AppConfig = cf;
                    this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
                }
            }
            else
            {
                this.AuditEnvironment.Warning("The default .NET application configuration file could not be determined and no AppConfig parameter was specified.");
            }
            if (this.PackageSourceInitialized && this.DataSources.Count == 0)
            {
                // this.DataSources.Add(new OSSIndexDataSource(this, this.DataSourceOptions));
                this.DataSources.Add(new OSSIndexApiv3DataSource(this, DataSourceOptions));
            }
        }
Exemple #26
0
        public AuditTarget(Dictionary <string, object> audit_options, EventHandler <EnvironmentEventArgs> controller_message_handler = null)
        {
            if (ReferenceEquals(audit_options, null))
            {
                throw new ArgumentNullException("audit_options");
            }
            this.AuditOptions           = audit_options;
            this.ControllerMessage      = controller_message_handler;
            this.HostEnvironmentMessage = AuditTarget_HostEnvironmentMessageHandler;
            this.HostEnvironment        = new LocalEnvironment(this.HostEnvironmentMessage);
            this.HostEnvironment.ScriptEnvironment.MessageHandler += this.AuditTarget_ScriptEnvironmentMessageHandler;
            if (this.AuditOptions.ContainsKey("Dockerized"))
            {
                this.HostEnvironment.IsDockerContainer = true;
            }
            this.HostEnvironmentInitialised = true;
            if (this.AuditOptions.Keys.Contains("DockerContainer"))
            {
                DockerAuditEnvironment docker_environment = new DockerAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                if (string.IsNullOrEmpty(docker_environment.Container))
                {
                    this.AuditEnvironmentIntialised = false;
                    throw new Exception("Failed to initialise audit environment.");
                }
                else if (!docker_environment.ContainerRunning)
                {
                    this.AuditEnvironmentIntialised = false;
                    throw new Exception("The Docker container is not currently running and DevAudit does not know how to run your container. Ensure your container is running before attempting to" +
                                        "audit it.");
                }
                else
                {
                    this.AuditEnvironment                 = docker_environment;
                    this.AuditEnvironmentIntialised       = true;
                    this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                    this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                    this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                }
            }
            else if (this.AuditOptions.Keys.Contains("RemoteHost"))
            {
                string client;
                SshAuditEnvironment ssh_environment = null;

                if (this.HostEnvironment.OS.Platform == PlatformID.Win32NT)
                {
                    client = this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "plink" : this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "openssh" : "ssh";
                }
                else
                {
                    client = "ssh";
                }

                if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemoteKeyFile"))
                {
                    if (this.AuditOptions.Keys.Contains("RemoteKeyPassPhrase"))
                    {
                        ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                  (string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemoteKeyPassPhrase"], (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                    }
                    else
                    {
                        ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                                  (string)this.AuditOptions["RemoteUser"], null, (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                    }
                }
                else if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemotePass"))
                {
                    ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
                                                              (string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemotePass"], null, new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
                }
                else
                {
                    throw new Exception("Unknown remote host authentication options.");
                }

                if (ssh_environment.IsConnected)
                {
                    this.AuditEnvironment                 = ssh_environment;
                    this.AuditEnvironmentIntialised       = true;
                    this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                    this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                    this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                }
                else
                {
                    ssh_environment = null;
                    this.AuditEnvironmentIntialised = false;
                    throw new Exception("Failed to initialise SSH audit environment.");
                }
            }
            else if (this.AuditOptions.Keys.Contains("WinRmRemoteIp") || this.AuditOptions.Keys.Contains("WinRmRemoteHost"))
            {
                if (!this.AuditOptions.Keys.Contains("RemoteUser") || !this.AuditOptions.Keys.Contains("RemotePass"))
                {
                    throw new Exception("A remote user and password must be specified.");
                }
                WinRmAuditEnvironment winrm;
                if (this.AuditOptions.Keys.Contains("WinRmRemoteIp"))
                {
                    winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, this.AuditOptions["WinRmRemoteIp"] as IPAddress,
                                                      (string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
                    if (winrm.IsConnected)
                    {
                        this.AuditEnvironment                 = winrm;
                        this.AuditEnvironmentIntialised       = true;
                        this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                        this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                        this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                    }
                    else
                    {
                        winrm = null;
                        this.AuditEnvironmentIntialised = false;
                        throw new Exception("Failed to initialise WinRM audit environment.");
                    }
                }
                else
                {
                    winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["WinRmRemoteHost"],
                                                      (string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
                }
            }
            else if (this.AuditOptions.Keys.Contains("RemoteUser") || this.AuditOptions.Keys.Contains("RemotePass"))
            {
                throw new Exception("A remote host name must be specified.");
            }
            else if (this.AuditOptions.ContainsKey("Dockerized"))
            {
                this.AuditEnvironmentMessage    = AuditTarget_AuditEnvironmentMessageHandler;
                this.AuditEnvironment           = new DockerizedLocalEnvironment(this.AuditEnvironmentMessage);
                this.AuditEnvironmentIntialised = true;
            }
            else if (this.AuditOptions.ContainsKey("GitHubRepoName"))
            {
                if (!this.AuditOptions.ContainsKey("GitHubRepoOwner") || !this.AuditOptions.ContainsKey("GitHubRepoBranch"))
                {
                    throw new ArgumentException("A required audit option for the GitHub environment is missing.");
                }
                string user_api_token = string.Empty;
                if (this.AuditOptions.ContainsKey("GitHubToken"))
                {
                    user_api_token = (string)this.AuditOptions["GitHubToken"];
                }
                GitHubAuditEnvironment github_environment = new GitHubAuditEnvironment(this.HostEnvironmentMessage, user_api_token, (string)this.AuditOptions["GitHubRepoOwner"],
                                                                                       (string)this.AuditOptions["GitHubRepoName"], (string)this.AuditOptions["GitHubRepoBranch"], this.HostEnvironment);
                if (github_environment.RepositoryInitialised)
                {
                    this.AuditEnvironment                 = github_environment;
                    this.AuditEnvironmentIntialised       = true;
                    this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                    this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                    this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                }
                else
                {
                    github_environment = null;
                    this.AuditEnvironmentIntialised = false;
                    throw new Exception("Failed to initialise GitHub audit environment.");
                }
            }
            else if (this.AuditOptions.ContainsKey("GitLabRepoName"))
            {
                string api_token = string.Empty;
                if (!this.AuditOptions.ContainsKey("GitLabRepoUrl") || !this.AuditOptions.ContainsKey("GitLabRepoName") || !this.AuditOptions.ContainsKey("GitLabRepoBranch"))
                {
                    throw new ArgumentException("A required audit option for the GitLab environment is missing.");
                }
                GitLabAuditEnvironment GitLab_environment = new GitLabAuditEnvironment(this.HostEnvironmentMessage, api_token, (string)this.AuditOptions["GitLabRepoUrl"],
                                                                                       (string)this.AuditOptions["GitLabRepoName"], (string)this.AuditOptions["GitLabRepoBranch"], this.HostEnvironment);
                if (GitLab_environment.RepositoryInitialised)
                {
                    this.AuditEnvironment                 = GitLab_environment;
                    this.AuditEnvironmentIntialised       = true;
                    this.AuditEnvironmentMessage          = AuditTarget_AuditEnvironmentMessageHandler;
                    this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
                    this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
                }
                else
                {
                    GitLab_environment = null;
                    this.AuditEnvironmentIntialised = false;
                    throw new Exception("Failed to initialise audit environment.");
                }
            }
            else
            {
                this.AuditEnvironmentMessage    = AuditTarget_AuditEnvironmentMessageHandler;
                this.AuditEnvironment           = new LocalEnvironment(this.AuditEnvironmentMessage);
                this.AuditEnvironmentIntialised = true;
            }
            if (this.AuditOptions.ContainsKey("Profile"))
            {
                AuditFileInfo pf = this.AuditEnvironment.ConstructFile((string)this.AuditOptions["Profile"]);
                if (pf.Exists)
                {
                    this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
                }
                else
                {
                    this.AuditEnvironment.Warning("The profile file {0} does not exist. No audit profile will be used.", pf.FullName);
                }
            }
        }
Exemple #27
0
        public Application(Dictionary <string, object> application_options, Dictionary <string, string[]> RequiredFileLocationPaths, Dictionary <string, string[]> RequiredDirectoryLocationPaths, EventHandler <EnvironmentEventArgs> message_handler) : base(application_options, message_handler)
        {
            this.ApplicationOptions = application_options;
            if (this.ApplicationOptions.ContainsKey("RootDirectory"))
            {
                if (!this.AuditEnvironment.DirectoryExists((string)this.ApplicationOptions["RootDirectory"]))
                {
                    throw new ArgumentException(string.Format("The root directory {0} was not found.", this.ApplicationOptions["RootDirectory"]), "package_source_options");
                }
                else
                {
                    this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory((string)this.ApplicationOptions["RootDirectory"]));
                }
            }
            else
            {
                this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory(this.AuditEnvironment.PathSeparator));
            }

            this.RequiredFileLocations      = RequiredFileLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);
            this.RequiredDirectoryLocations = RequiredDirectoryLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);

            foreach (KeyValuePair <string, string> f in RequiredFileLocations)
            {
                if (!this.ApplicationOptions.ContainsKey(f.Key))
                {
                    if (string.IsNullOrEmpty(f.Value))
                    {
                        throw new ArgumentException(string.Format("The required application file {0} was not specified and no default path exists.", f), "application_options");
                    }
                    else
                    {
                        string fn = CombinePath(f.Value);
                        if (!this.AuditEnvironment.FileExists(fn))
                        {
                            throw new ArgumentException(string.Format("The default path {0} for required application file {1} does not exist.",
                                                                      fn, f.Key), "application_options");
                        }
                        else
                        {
                            this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
                        }
                    }
                }
                else
                {
                    string fn = CombinePath((string)ApplicationOptions[f.Key]);
                    if (!this.AuditEnvironment.FileExists(fn))
                    {
                        throw new ArgumentException(string.Format("The required application file {0} was not found.", f), "application_options");
                    }
                    else
                    {
                        this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
                    }
                }
            }

            foreach (KeyValuePair <string, string> d in RequiredDirectoryLocations)
            {
                string dn = CombinePath(d.Value);
                if (!this.ApplicationOptions.ContainsKey(d.Key))
                {
                    if (string.IsNullOrEmpty(d.Value))
                    {
                        throw new ArgumentException(string.Format("The required application directory {0} was not specified and no default path exists.", d.Key), "application_options");
                    }
                    else
                    {
                        if (!this.AuditEnvironment.DirectoryExists(dn))
                        {
                            throw new ArgumentException(string.Format("The default path {0} for required application directory {1} does not exist.",
                                                                      dn, d.Key), "application_options");
                        }
                        else
                        {
                            this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
                        }
                    }
                }
                else
                {
                    dn = CombinePath((string)ApplicationOptions[d.Key]);
                    if (!this.AuditEnvironment.DirectoryExists(dn))
                    {
                        throw new ArgumentException(string.Format("The required application directory {0} was not found.", dn), "application_options");
                    }
                    else
                    {
                        this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
                    }
                }
            }

            if (this.ApplicationOptions.ContainsKey("ApplicationBinary"))
            {
                string fn = CombinePath((string)this.ApplicationOptions["ApplicationBinary"]);
                if (!this.AuditEnvironment.FileExists(fn))
                {
                    throw new ArgumentException(string.Format("The specified application binary {0} does not exist.", fn), "application_options");
                }
                else
                {
                    this.ApplicationBinary = this.AuditEnvironment.ConstructFile(fn);
                }
            }

            if (this.AuditProfile == null)
            {
                AuditFileInfo pf = this.AuditEnvironment.ConstructFile(this.CombinePath("@devaudit.yml"));
                if (pf.Exists)
                {
                    this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
                }
            }
            if (this.ApplicationOptions.ContainsKey("PrintConfiguration"))
            {
                this.PrintConfiguration = true;
            }

            if (this.ApplicationOptions.ContainsKey("ListConfigurationRules"))
            {
                this.ListConfigurationRules = true;
            }

            if (this.ApplicationOptions.ContainsKey("OnlyLocalRules"))
            {
                this.OnlyLocalRules = true;
            }

            if ((this.ApplicationOptions.ContainsKey("AppDevMode")))
            {
                this.AppDevMode = true;
            }

            if ((this.ApplicationOptions.ContainsKey("OSUser")))
            {
                this.OSUser = (string)this.ApplicationOptions["OSUser"];
            }

            if ((this.ApplicationOptions.ContainsKey("OSPass")))
            {
                this.OSPass = this.AuditEnvironment.ToSecureString((string)this.ApplicationOptions["OSPass"]);
            }

            if ((this.ApplicationOptions.ContainsKey("AppUser")))
            {
                this.AppUser = (string)this.ApplicationOptions["AppUser"];
            }

            if ((this.ApplicationOptions.ContainsKey("AppPass")))
            {
                this.AppPass = this.AuditEnvironment.ToSecureString((string)this.ApplicationOptions["AppPass"]);
            }

            string[] ossi_apps = { "drupal", "ossi" };
            if (this.DataSources.Count == 0 && ossi_apps.Contains(this.PackageManagerId))
            {
                this.HostEnvironment.Info("Using OSS Index as default package vulnerabilities data source for {0} application.", this.PackageManagerLabel);
                this.DataSources.Add(new OSSIndexDataSource(this, this.DataSourceOptions));
            }
        }
Exemple #28
0
        public Application(Dictionary <string, object> application_options, Dictionary <string, string[]> RequiredFileLocationPaths, Dictionary <string, string[]> RequiredDirectoryLocationPaths, EventHandler <EnvironmentEventArgs> message_handler) : base(application_options, message_handler)
        {
            this.ApplicationOptions = application_options;
            if (this.ApplicationOptions.ContainsKey("RootDirectory"))
            {
                if (!this.AuditEnvironment.DirectoryExists((string)this.ApplicationOptions["RootDirectory"]))
                {
                    throw new ArgumentException(string.Format("The root directory {0} was not found.", this.ApplicationOptions["RootDirectory"]), "package_source_options");
                }
                else
                {
                    this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory((string)this.ApplicationOptions["RootDirectory"]));
                }
            }
            else
            {
                //throw new ArgumentException(string.Format("The root application directory was not specified."), "application_options");
                this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory(this.AuditEnvironment.PathSeparator));
            }

            this.RequiredFileLocations      = RequiredFileLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);
            this.RequiredDirectoryLocations = RequiredDirectoryLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);

            foreach (KeyValuePair <string, string> f in RequiredFileLocations)
            {
                if (!this.ApplicationOptions.ContainsKey(f.Key))
                {
                    if (string.IsNullOrEmpty(f.Value))
                    {
                        throw new ArgumentException(string.Format("The required application file {0} was not specified and no default path exists.", f), "application_options");
                    }
                    else
                    {
                        string fn = CombinePath(f.Value);
                        if (!this.AuditEnvironment.FileExists(fn))
                        {
                            throw new ArgumentException(string.Format("The default path {0} for required application file {1} does not exist.",
                                                                      fn, f.Key), "application_options");
                        }
                        else
                        {
                            this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
                        }
                    }
                }
                else
                {
                    string fn = CombinePath((string)ApplicationOptions[f.Key]);
                    if (!this.AuditEnvironment.FileExists(fn))
                    {
                        throw new ArgumentException(string.Format("The required application file {0} was not found.", f), "application_options");
                    }
                    else
                    {
                        this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
                    }
                }
            }

            foreach (KeyValuePair <string, string> d in RequiredDirectoryLocations)
            {
                string dn = CombinePath(d.Value);
                if (!this.ApplicationOptions.ContainsKey(d.Key))
                {
                    if (string.IsNullOrEmpty(d.Value))
                    {
                        throw new ArgumentException(string.Format("The required application directory {0} was not specified and no default path exists.", d.Key), "application_options");
                    }
                    else
                    {
                        if (!this.AuditEnvironment.DirectoryExists(dn))
                        {
                            throw new ArgumentException(string.Format("The default path {0} for required application directory {1} does not exist.",
                                                                      dn, d.Key), "application_options");
                        }
                        else
                        {
                            this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
                        }
                    }
                }
                else
                {
                    dn = CombinePath((string)ApplicationOptions[d.Key]);
                    if (!this.AuditEnvironment.DirectoryExists(dn))
                    {
                        throw new ArgumentException(string.Format("The required application directory {0} was not found.", dn), "application_options");
                    }
                    else
                    {
                        this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
                    }
                }
            }

            if (this.ApplicationOptions.ContainsKey("ApplicationBinary"))
            {
                string fn = CombinePath((string)this.ApplicationOptions["ApplicationBinary"]);
                if (!this.AuditEnvironment.FileExists(fn))
                {
                    throw new ArgumentException(string.Format("The specified application binary {0} does not exist.", fn), "application_options");
                }
                else
                {
                    this.ApplicationBinary = this.AuditEnvironment.ConstructFile(fn);
                }
            }

            if (this.AuditProfile == null)
            {
                AuditFileInfo pf = this.AuditEnvironment.ConstructFile(".devaudit");
                if (pf.Exists)
                {
                    this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
                }
            }
            if (this.ApplicationOptions.ContainsKey("PrintConfiguration"))
            {
                this.PrintConfiguration = true;
            }

            if (this.ApplicationOptions.ContainsKey("ListConfigurationRules"))
            {
                this.ListConfigurationRules = true;
            }

            if (this.ApplicationOptions.ContainsKey("OnlyLocalRules"))
            {
                this.OnlyLocalRules = true;
            }

            if ((this.ApplicationOptions.ContainsKey("AppDevMode")))
            {
                this.AppDevMode = true;
            }
        }
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            AuditFileInfo  config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            List <Package> packages    = new List <Package>();

            if (config_file.Name.EndsWith(".csproj"))
            {
                this.AuditEnvironment.Info("Reading packages from .NET Core C# .csproj file.");
                string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
                string xml = config_file.ReadAsText();
                if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
                {
                    var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                    xml = xml.Remove(0, lastIndexOfUtf8);
                }
                XElement root = XElement.Parse(xml);

                if (root.Name.LocalName == "Project")
                {
                    packages =
                        root
                        .Descendants()
                        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute("Include") != null && x.Attribute("Version") != null)
                        .SelectMany(r => GetDeveloperPackages(r.Attribute("Include").Value, r.Attribute("Version").Value))
                        .ToList();

                    IEnumerable <string> skipped_packages =
                        root
                        .Descendants()
                        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute("Include") != null && x.Attribute("Version") == null)
                        .Select(r => r.Attribute("Include").Value);

                    if (skipped_packages.Count() > 0)
                    {
                        this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
                                                      skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
                    }
                    return(packages);
                }
                else
                {
                    this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
                    return(packages);
                }
            }
            else if (config_file.Name.EndsWith(".deps.json"))
            {
                try
                {
                    this.AuditEnvironment.Info("Reading packages from .NET Core depedencies manifest..");
                    JObject json      = (JObject)JToken.Parse(config_file.ReadAsText());
                    JObject libraries = (JObject)json["libraries"];

                    if (libraries != null)
                    {
                        foreach (JProperty p in libraries.Properties())
                        {
                            string[] name = p.Name.Split('/');
                            packages.Add(new Package("nuget", name[0], name[1]));
                        }
                    }
                    return(packages);
                }
                catch (Exception e)
                {
                    this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
                    return(packages);
                }
            }
            else
            {
                this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
                return(packages);
            }
        }
Exemple #30
0
        protected override void DetectConfigurationFile(Dictionary <PlatformID, string[]> default_configuration_file_path)
        {
            bool set_config_from_process_cmdline = false;
            bool set_config_from_env             = false;
            bool set_config_from_my_cnf          = false;

            if (this.AuditEnvironment.IsUnix)
            {
                List <ProcessInfo> processes = this.AuditEnvironment.GetAllRunningProcesses();
                if (processes != null && processes.Any(p => p.CommandLine.Contains("mysqld") && (p.CommandLine.Contains("--user") || p.CommandLine.Contains("--datadir") || p.CommandLine.Contains("--basedir"))))
                {
                    ProcessInfo process = processes.Where(p => p.CommandLine.Contains("mysqld") && (p.CommandLine.Contains("--user") || p.CommandLine.Contains("--datadir") || p.CommandLine.Contains("--basedir"))).First();
                    Match       m       = Regex.Match(process.CommandLine, @"--defaults-file=(\S+)");
                    if (m.Success)
                    {
                        string        f  = m.Groups[1].Value;
                        AuditFileInfo cf = this.AuditEnvironment.ConstructFile(f);
                        if (cf.Exists)
                        {
                            this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
                            this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
                            set_config_from_process_cmdline = true;
                        }
                    }
                }
                if (!set_config_from_process_cmdline)
                {
                    Dictionary <string, string> env = this.AuditEnvironment.GetEnvironmentVars();
                    if (env != null)
                    {
                        if (env.ContainsKey("MY_CNF"))
                        {
                            if (!set_config_from_process_cmdline)
                            {
                                AuditFileInfo cf = this.AuditEnvironment.ConstructFile(env["MY_CNF"]);
                                if (cf.Exists)
                                {
                                    this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
                                    this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
                                    set_config_from_env = true;
                                }
                            }
                        }
                    }
                }
                if (!set_config_from_env)
                {
                    if (this.AuditEnvironment.FileExists(this.CombinePath("@", "etc", "my.cnf")))
                    {
                        AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", "etc", "my.cnf"));

                        this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
                        this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
                        set_config_from_my_cnf = true;
                    }
                    else if (this.AuditEnvironment.FileExists(this.CombinePath("@", "etc", "my", "my.cnf")))
                    {
                        AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", "etc", "my", "my.cnf"));

                        this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
                        this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
                        set_config_from_my_cnf = true;
                    }
                }
                if (!(set_config_from_process_cmdline || set_config_from_env || set_config_from_my_cnf))
                {
                    base.DetectConfigurationFile(default_configuration_file_path);
                }
            }
        }